ISE 1.2 VM core

What is the maximum number of cores for an ISE 1.2? The minimum is 4 but a maximum isn't defined.

Hi,
You could use the SNS-3495 platform, which has a total of 8 cores.
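VMware Appliance Specifications for a Production Environment

| Platform         | SNS-3415                                               | SNS-3495                                             |
|------------------|--------------------------------------------------------|------------------------------------------------------|
| Processor        | Single socket Intel E5-2609 2.4 GHz CPU, 4 total cores | Dual socket Intel E5-2609 2.4 GHz CPU, 8 total cores |
| Memory           | 16 GB                                                  | 32 GB                                                |
| Total Disk Space | 600 GB                                                 | 600 GB                                               |
| Ethernet NICs    | 4 x Integrated Gigabit NICs                            | 4 x Integrated Gigabit NICs                          |

Source: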
http://www.cisco.com/en/US/docs/security/ise/1.2/installation_guide/ise_vmware.html#wp1104790
Thanks
Anas

Similar Messages

  • ISE wireless with HP core switch

    Hi all,
    We are planning to implement ISE for Wireless users. Our core switch is HP and our WLC is 5500.
    I would like to know if we need to change our core switch so that we can use ISE or there is no need to change it.

    You'd need 2 separate SSIDs as the access method will be different for each, e.g:
    Employee - WPA2 and 802.1x
    Guest - Webauth
    You don't have to have a quarantine, we do but it's not essential.
    For your employee WLAN you could have just one VLAN or you could have multiple. We started off with just one for our employee WLAN but now we've got several on each WLC (laptops, medical devices, etc.). I would suggest starting off simple with one.
    Your employee WLAN clients won't get an address until after they authenticate so you don't need a VLAN before then.

  • Virtex6:Configuration data download to FPGA was not successful. DONE did not go high, please check your configuration setup and mode settings

    Hello, everyone.
    I am using a Virtex-6 FPGA and trying to download an .mcs file to the PROM, and it has failed.
    I downloaded the .bit file to the FPGA and it succeeded.
    When I try to download the .mcs file to the PROM XCF128X-FTG64C (BPI Flash) and choose Slave SelectMAP mode,
    it fails when the process is at about 68%.
    The message from iMPACT is as follows:
    done.
    PROGRESS_END - End Operation.
    Elapsed time =      0 sec.
    // *** BATCH CMD : identifyMPM
    // *** BATCH CMD : assignFile -p 1 -file "C:/Users/Administrator/Desktop/TEST/LED/led.bit"
    '1': Loading file 'C:/Users/Administrator/Desktop/TEST/LED/led.bit' ...
    done.
    INFO:iMPACT:2257 - Startup Clock has been changed to 'JtagClk' in the bitstream stored in memory,
    but the original bitstream file remains unchanged.
    UserID read from the bitstream file = 0xFFFFFFFF.
    INFO:iMPACT:501 - '1': Added Device xc6vlx240t successfully.
    INFO:iMPACT - Current time: 2014/3/13 8:48:14
    // *** BATCH CMD : Program -p 1
    PROGRESS_START - Starting Operation.
    Maximum TCK operating frequency for this device chain: 66000000.
    Validating chain...
    Boundary-scan chain validated successfully.
    INFO:iMPACT - 1: Over-temperature condition detected! [ 230.52C >  120.00C]
    1: Device Temperature: Current Reading:  230.52 C, Max. Reading:  230.52 C
    1: VCCINT Supply: Current Reading:   2.997 V, Max. Reading:   2.997 V
    1: VCCAUX Supply: Current Reading:   2.997 V, Max. Reading:   2.997 V
    '1': Programming device...
     Match_cycle = NoWait.
    Match cycle: NoWait
     LCK_cycle = NoWait.
    LCK cycle: NoWait
    done.
    INFO:iMPACT:2219 - Status register values:
    INFO:iMPACT - 0011 1111 0111 1110 0100 1011 1100 0000
    INFO:iMPACT:579 - '1': Completed downloading bit file to device.
    INFO:iMPACT:188 - '1': Programming completed successfully.
     Match_cycle = NoWait.
    Match cycle: NoWait
     LCK_cycle = NoWait.
    LCK cycle: NoWait
    INFO:iMPACT - '1': Checking done pin....done.
    '1': Programmed successfully.
    PROGRESS_END - End Operation.
    Elapsed time =     23 sec.
    Selected part: XCF128X
    // *** BATCH CMD : attachflash -position 1 -bpi "XCF128X"
    // *** BATCH CMD : assignfiletoattachedflash -position 1 -file "C:/Users/Administrator/Desktop/TEST/LED/leda.mcs"
    INFO:iMPACT - Current time: 2014/3/13 8:49:32
    // *** BATCH CMD : Program -p 1 -dataWidth 16 -rs1 NONE -rs0 NONE -bpionly -e -v -loadfpga
    PROGRESS_START - Starting Operation.
    Maximum TCK operating frequency for this device chain: 66000000.
    Validating chain...
    Boundary-scan chain validated successfully.
    INFO:iMPACT - 1: Over-temperature condition detected! [ 230.52C >  120.00C]
    1: Device Temperature: Current Reading:  230.52 C, Max. Reading:  230.52 C
    1: VCCINT Supply: Current Reading:   2.997 V, Max. Reading:   2.997 V
    1: VCCAUX Supply: Current Reading:   2.997 V, Max. Reading:   2.997 V
    '1': BPI access core not detected. BPI access core will be downloaded to the device to enable operations.
    INFO:iMPACT - Downloading core file D:/Xilinx/14.3/ISE_DS/ISE/virtex6/data/xc6vlx240t_jbpi.cor.
    '1': Downloading core...
     Match_cycle = NoWait.
    Match cycle: NoWait
     LCK_cycle = NoWait.
    LCK cycle: NoWait
    done.
    INFO:iMPACT:2219 - Status register values:
    INFO:iMPACT - 0011 1111 0111 1110 0100 1011 1100 0000
    INFO:iMPACT:2492 - '1': Completed downloading core to device.
    Current cable speed is set to 6.000 Mhz.
    Cable speed is default to 3Mhz or lower for BPI operations.
    Current cable speed is set to 3.000 Mhz.
    Setting Flash Control Pins ...
    Setting Configuration Register ...
    Populating BPI common flash interface ...
    Common Flash Interface Information Query completed successfully.
    INFO:iMPACT - Common Flash Interface Information from Device:
    INFO:iMPACT - Verification string:  51 52 59
    INFO:iMPACT - Manufacturer ID:         49
    INFO:iMPACT - Vendor ID:              01
    INFO:iMPACT - Device Code:            18
    Setting Flash Control Pins ...
    Using x16 mode ...
    Setting Flash Control Pins ...
    Setting Configuration Register ...
    '1': Erasing device...
    '1': Start address = 0x00000000, End address = 0x008CE03B.
    done.
    '1': Erasure completed successfully.
    Setting Flash Control Pins ...
    Using x16 mode ...
    Setting Flash Control Pins ...
    Setting Configuration Register ...
    INFO:iMPACT - Using Word Programming.
    '1': Programming Flash.
    done.
    Setting Flash Control Pins ...
    '1': Flash Programming completed successfully.
    Using x16 mode ...
    Setting Flash Control Pins ...
    Setting Configuration Register ...
    '1': Reading device contents...
    done.
    '1': Verification completed.
    Setting Flash Control Pins ...
    Current cable speed is resumed to 6.000 Mhz.
    '1': Configuration data download to FPGA was not successful. DONE did not go high, please check your configuration setup and mode settings.
    Elapsed time =    814 sec.
    I find that many people have met the same thing, but they have Spartan series FPGAs. I tried lowering the resistances of the mode pins M0, M1 and M2, but the problem has not been solved.
    I have read the status registers and found there is an over-temperature state,
    and in iMPACT I could not read back the registers. It is strange.
    I am anxious about this problem and have not solved it yet.
    What could the reasons be?
    I hope for your answer, thank you.

    Hi, I want to know if you solved the configuration problem for the Virtex-6?
    As I have encountered the same configuration problem, I would like to ask you some questions.
    Can I have your email?
    gszakacs wrote:
    I have measured the VCCINT and find it is 1.0V, not 2.997V;
    That is not at all surprising.  I always assumed the problem is with reading the XADC (system monitor) block and not with the voltage or temperature.
    my Reference board is ML605
    That would have been nice to know at the beginning...
    It seems that you have selected the correct mode, assuming your jumpers are set as required in the ML605 Hardware User's Guide.  See table 1-27, table 1-33 and the note below it about switch S1.
    I'm not that familiar with the details of this reference design, but it may be that the slave SelectMap circuitry requires a reset or power cycle to actually configure the FPGA.  Have you tried power-cycling to see if the FPGA boots from the flash?
    I'd also suggest that you select the V6 in the JTAG chain view, then go to the debug menu of Impact and select Read Device Status (this is from memory, but it's something like that).  That will not only show the bits of the configuration status register, but also describe what each bit means.  Among other things you can check the state of the FPGA's configuration logic and the Mode pins.
     

  • Configuration data download to FPGA was not successful.

    I have designed a board with the Spartan 6 LX9 TQFP144 package.
    I am able to load a bitstream to the device with the Digilent HS-2. However, the FPGA cannot self-configure from
    the attached SPI flash.
    Here is the console output from iMPACT:
    GUI --- Auto connect to cable...
    INFO:iMPACT - Digilent Plugin: Plugin Version: 2.4.4
    INFO:iMPACT - Digilent Plugin: found 1 device(s).
    INFO:iMPACT - Digilent Plugin: opening device: "JtagHs2", SN:210249983579
    INFO:iMPACT - Digilent Plugin: User Name: JtagHs2
    INFO:iMPACT - Digilent Plugin: Product Name: Digilent JTAG-HS2
    INFO:iMPACT - Digilent Plugin: Serial Number: 210249983579
    INFO:iMPACT - Digilent Plugin: Product ID: 30900152
    INFO:iMPACT - Digilent Plugin: Firmware Version: 0109
    INFO:iMPACT - Digilent Plugin: JTAG Port Number: 0
    INFO:iMPACT - Digilent Plugin: JTAG Clock Frequency: 10000000 Hz
    Attempting to identify devices in the boundary-scan chain configuration...
    INFO:iMPACT - Current time: 27.07.2015 16:19:26
    PROGRESS_START - Starting Operation.
    Identifying chain contents...'0': : Manufacturer's ID = Xilinx xc6slx9, Version : 2
    INFO:iMPACT:1777 -
    Reading C:/Xilinx/ISE/14.7/ISE_DS/ISE/spartan6/data/xc6slx9.bsd...
    INFO:iMPACT:501 - '1': Added Device xc6slx9 successfully.
    done.
    PROGRESS_END - End Operation.
    Elapsed time =      0 sec.
    Selected part: N25Q128
    Unprotect sectors: FALSE
    INFO:iMPACT - Current time: 27.07.2015 16:20:19
    PROGRESS_START - Starting Operation.
    Maximum TCK operating frequency for this device chain: 25000000.
    Validating chain...
    Boundary-scan chain validated successfully.
    '1': SPI access core not detected. SPI access core will be downloaded to the device to enable operations.
    INFO:iMPACT - Downloading core file C:/Xilinx/ISE/14.7/ISE_DS/ISE/spartan6/data/xc6slx9_spi.cor.
    '1': Downloading core...
     LCK_cycle = NoWait.
    LCK cycle: NoWait
    done.
    '1': Reading status register contents...
    INFO:iMPACT:2219 - Status register values:
    INFO:iMPACT - 0011 1100 1110 1100
    INFO:iMPACT:2492 - '1': Completed downloading core to device.
    '1': IDCODE is '20ba18' (in hex).
    '1': ID Check passed.
     '1': IDCODE is '20ba18' (in hex).
    '1': ID Check passed.
     '1': Erasing Device.
    '1': Using Sector Erase.
    '1': Programming Flash.
    '1': Reading device contents...
    done.
    '1': Verification completed.
    '1':Programming in x4 mode.
    '1': Configuration data download to FPGA was not successful. DONE did not go high, please check your configuration setup and mode settings.
    INFO:iMPACT - '1': Flash was not programmed successfully.
    PROGRESS_END - End Operation.
    Elapsed time =     78 sec.
    If I read that correctly, data was written to the flash but the FPGA was not able to configure from that data.
    The DONE pin is connected to 3.3V via a 470 ohm resistor.
    The flash is a N25Q128A13ESE40G, datasheet here: http://www.farnell.com/datasheets/1674445.pdf
    I can perform a readback, checksum and an erase.
    If I do a read device status, this is the console output:
    INFO:iMPACT - Current time: 27.07.2015 16:36:27
    Maximum TCK operating frequency for this device chain: 25000000.
    Validating chain...
    Boundary-scan chain validated successfully.
    '1': IDCODE is '20ba18' (in hex).
    '1': ID Check passed.
     '1': IDCODE is '20ba18' (in hex).
    '1': ID Check passed.
     '1': IDCODE is '20ba18' (in hex).
    '1': ID Check passed.
     INFO:iMPACT - '1': Reloading FPGA configuration data stored in flash...
    INFO:iMPACT:182 - done.
    On the Flash side I have pulled s# and Hold up to 3.3V with 100k Resistors.
    Can someone help me to find the problem?

    So does the FPGA try to read the SPI flash when it boots?
    Out with the scope: probe the clock and the data, and see if you can see it streaming out when you boot.
    If so, then one other thing I have seen go wrong a few times is the data path of the SPI, single bit or 4 bits of data.
    You have to make certain the bit file was created in the same width as the FPGA is expecting.
    In ISE I think it's in iMPACT where you make the SPI flash file and specify this.
     

  • Indirect SPI programming fail

    I'm having a problem programming my SPI PROM used for Spartan-6 configuration. My FPGA is the xc6slx45. The SPI hardware is just like in Figure 2-12 of ug380. I'm using a Numonyx M25P32 SPI Flash. I'm attempting to program using ISE iMPACT. I've gone through the procedures in help for "Creating SPI PROM files - Single FPGAs" and "Programming an SPI or BPI Flash Memory through an FPGA". I've done "Boundary Scan" and "Create PROM File (PROM File Formatter)". From the iMPACT boundary scan window when I right click the flash part and select program I get the following:
    INFO:iMPACT - Current time: 7/15/2015 8:39:59 AM
    PROGRESS_START - Starting Operation.
    Maximum TCK operating frequency for this device chain: 25000000.
    Validating chain...
    Boundary-scan chain validated successfully.
    '1': SPI access core not detected. SPI access core will be downloaded to the device to enable operations.
    INFO:iMPACT - Downloading core file C:/Xilinx/14.7/ISE_DS/ISE/spartan6/data/xc6slx45_spi.cor.
    '1': Downloading core...
    LCK_cycle = NoWait.
    LCK cycle: NoWait
    done.
    '1': Reading status register contents...
    INFO:iMPACT:2219 - Status register values:
    INFO:iMPACT - 0000 0000 0000 0000
    INFO:iMPACT:2492 - '1': Completed downloading core to device.
    INFO:iMPACT - '1': Flash was not programmed successfully.
    PROGRESS_END - End Operation.
    Elapsed time = 2 sec.
    If I monitor the SPI connections on the flash I see CSO_B activate but I don't see any activity on MOSI.
     

    No luck with 14.1. Here's the console output:
    GUI --- Auto connect to cable...
    INFO:iMPACT - Digilent Plugin: Plugin Version: 2.4.4
    INFO:iMPACT - Digilent Plugin: no JTAG device was found.
    AutoDetecting cable. Please wait.
    PROGRESS_START - Starting Operation.
    Connecting to cable (Usb Port - USB21).
    Checking cable driver.
    Driver file xusbdfwu.sys found.
    Driver version: src=1027, dest=1027.
    Driver windrvr6.sys version = 11.7.0.0. WinDriver v11.7.0 Jungo Connectivity (c) 1997 - 2014 Build Date: Oct 26 2014 x86_64 64bit SYS 09:16:51, version = 1170.
    Cable PID = 0008.
    Max current requested during enumeration is 300 mA.
    Type = 0x0005.
    Cable Type = 3, Revision = 0.
    Setting cable speed to 6 MHz.
    Cable connection established.
    Firmware version = 2401.
    File version of C:/Xilinx/14.1/ISE_DS/ISE/data/xusb_xp2.hex = 2401.
    Firmware hex file version = 2401.
    PLD file version = 200Dh.
    PLD version = 200Dh.
    PROGRESS_END - End Operation.
    Elapsed time = 1 sec.
    Type = 0x0005.
    ESN option: 000015DE6D9E01.
    INFO:iMPACT - Current time: 7/15/2015 10:01:49 AM
    PROGRESS_START - Starting Operation.
    Maximum TCK operating frequency for this device chain: 25000000.
    Validating chain...
    Boundary-scan chain validated successfully.
    '1': SPI access core not detected. SPI access core will be downloaded to the device to enable operations.
    INFO:iMPACT - Downloading core file C:/Xilinx/14.1/ISE_DS/ISE/spartan6/data/xc6slx45_spi.cor.
    '1': Downloading core...
    LCK_cycle = NoWait.
    LCK cycle: NoWait
    done.
    '1': Reading status register contents...
    INFO:iMPACT:2219 - Status register values:
    INFO:iMPACT - 0000 0000 0000 0000
    INFO:iMPACT:2492 - '1': Completed downloading core to device.
    INFO:iMPACT - '1': Flash was not programmed successfully.
    PROGRESS_END - End Operation.
    Elapsed time = 4 sec.

  • Use of second interface (eth1) on ISE

    Hi. I am setting up a two-node deployment of ISE (3315 - version 1.2.0.899). Both appliances will be connected to my two core switches.
    I would like to know if I just have to configure one Ethernet interface (eth0) on each ISE server and then connect each eth0 to a different switch. Or, in order to get more redundancy, should I configure both Ethernet interfaces on each ISE appliance and then connect eth0 to switch 1 and eth1 to switch 2 on both appliances?
    Thank you

    Yes, you can do that, as all the ports can be used for replication and synchronization, but management is restricted to Eth0 only.

  • Disk size in ise

    Hi
    I have a strange problem: after installing licenses in ISE, the following information is in a "show tech".
    This info is for 1.3 clean install + license.
    % WARNING: ISE DISK SIZE NOT LARGE ENOUGH FOR PRODUCTION USE
    % RECOMMENDED DISK SIZE: 200 GB, CURRENT DISK SIZE: 0 GB
    It is the same in the Eval version but in this server there is a 2500 license
    The same is observed in both ISE 1.2.1 and 1.3 (running a POC on ISE)
    When trying to upgrade ISE 1.2.1 > 1.3 the following output
    Getting bundle to local machine...
     md5: ad7d87d383661bce671804a9e125e42b
     sha256: 2a7ebe5196e3d956ac42ec2e5acdf3815a3e0f80db954b58e2c68843bb3c42fd
    % Please confirm above crypto hash matches what is posted on Cisco download site.
    % Continue? Y/N [Y] ? Y
    Unbundling Application Package...
    Initiating Application Upgrade...
    % Warning: Do not use Ctrl-C or close this terminal window until upgrade completes.
    -Checking VM for minimum hardware requirements
    % Error: At least 100GB sized hard disk required for upgrade.
    the disk is
    Hard Disk Count(*): 1
    Disk 0: Device Name: /dev/sda
    Disk 0: Capacity: 644.20 GB
    Disk 0: Geometry: 255 heads 63 sectors/track 78325 cylinders
    Thanks 
    Erik Loeth

    Attached is the output from VMware, this is made with the OVA
    ISE-1.3.0.876-virtual-SNS3495-2.ova
    The disk output from show inventory
    NAME: "ISE-VM-K9          chassis", DESCR: "ISE-VM-K9          chassis"
    PID: ISE-VM-K9         , VID: V01 , SN: XXXXXXXXXXXXXXX
    Total RAM Memory: 16467264 kB
    CPU Core Count: 4
    CPU 0: Model Info: Intel(R) Xeon(R) CPU E7- 4870  @ 2.40GHz
    CPU 1: Model Info: Intel(R) Xeon(R) CPU E7- 4870  @ 2.40GHz
    CPU 2: Model Info: Intel(R) Xeon(R) CPU E7- 4870  @ 2.40GHz
    CPU 3: Model Info: Intel(R) Xeon(R) CPU E7- 4870  @ 2.40GHz
    Hard Disk Count(*): 1
    Disk 0: Device Name: /dev/sda
    Disk 0: Capacity: 644.20 GB
    Disk 0: Geometry: 255 heads 63 sectors/track 78325 cylinders
    NIC Count: 1
    NIC 0: Device Name: eth0
    NIC 0: HW Address: XXXXXXXXXXXXXXXXXX
    NIC 0: Driver Descr: Intel(R) PRO/1000 Network Driver
    (*) Hard Disk Count may be Logical.
    Regards
    Erik Loeth

  • ISE 1.2 SNS-3415 NIC Bonding / Teaming

    Hello,
    I have installed the SNS-3415 with ISE 1.2 and I'm trying to set up redundancy (teamed) NIC modes for the authentication requests and not for management purposes.
    The tests showed that when one interface was unplugged everything was lost and none of our internal users could be authenticated by the ISE node.
    In contrast, when I unplugged the "second interface" (probably the inactive one) nothing happened, which shows that it is a useless interface.
    My purpose is to connect it to my twin core switches and have a full high availability deployment.
    - I have searched enough on the web but I didn't find any clear and precise document saying how this could be achieved.
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/installation/guide/csacs_book/csacs_hw_ins_ucs.html#wp1185589
    Themis

    ISE 1.2 does not support NIC teaming.  Especially on appliances.  There is a workaround for VM using the ESXi host to team the NICs so that it is transparent to the VM.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • ISE 1.2.1 Complaining about High latency - can´t figure out why.

    Hello! 
    My 2-node (16 core, 32 GB RAM, SAN) ISE installation on VMware is complaining about high latency. I have about 250 test clients connected, and the VMware guys can't seem to find anything wrong. Is there any way to get a more detailed test of WHAT actually is causing this high latency? CPUs are idling, RAM is at 2% and disk I/O is almost not measurable, but the software is still complaining (the Dashboard shows latency at 100+ ms). I think this might be the external CA, against which the client certificates are run, but I don't know if I can test this theory!
    I have 2 hardware appliances coming, but I thought my test environment should be more than enough to handle 250 clients. I am a bit concerned about going live with 5000 clients in the future if it is already complaining with 250 active clients.
    And yes, I will be splitting the tasks up between the 2 physical boxes (profiling and such) and the 2 VM boxes (management), but at the moment, for 250 clients, the 2 VMs should be enough.

    I have a couple of my customers complaining about this as well. I believe it is cosmetic and it is due to this bug CSCup97285
    The suggested action for this alarm in ISE is:
    Check if the system has sufficient resources, Check the actual amount of work on the system for example, no of authentications, profiler activity etc.., Add additional server to distribute the load
    I have confirmed with both clients that the appropriate resources were allocated and reserved in VM. In addition, neither client is reporting any issues so this leads me to believe that it is just a cosmetic bug.
    Thank you for rating helpful posts!

  • ISE v1.1 NAD 6500 failed to decrypt Key......

    Hello everyone,
    I've implemented 2 Cisco ISE v1.1 in HA to run MAB and 802.x Authentication / Authorization, using the local ISE DB and Active Directory as an External Identity Source for wireless and wired users and devices. This was working fine 2 weeks ago after finishing installation.
    My NAD devices are a Core SW 6500 for wired users (there are no access SW, just the Core for the whole network, its a small office) and a WLC 2405 for Wireless Users.
    Here is the network topology:
    DNSs are fully resolvable forward and reverse zone and  ISEs, AD, WLC and SW Core are synched with the same NTP server.
    As I mentioned, Authentication and Authorization were working fine. Two weekends ago there was an electrical outage in the office. When the ISE servers came up, the trust relationship between AD and the ISEs was broken and so was HA replication. I did some troubleshooting to delete and install new certificates from AD into both ISEs and build the HA configuration again. I finally got the ISEs working fine again.
    This last weekend, another electrical outage occurred in the office (the client is working with a temporary plant and is already warned about electrical damages not covered by warranty) and the ISE servers came up in the same condition again, with no trust relationship with AD (Domain Controller). So I fixed this again by deleting and installing new certificates into ISE. The problem is that for some reason the NAD 6500 is not authenticating to the ISE. I'm receiving the following debug messages in the SW:
    Sep 12 17:41:00.222: RADIUS(00000000): Request timed out
    Sep 12 17:41:00.222: RADIUS: Retransmit to (172.16.3.5:1812,1813) for id 1645/165
    Sep 12 17:41:00.222: RADIUS(00000000): Started 5 sec timeout
    Sep 12 17:41:00.226: RADIUS: Received from id 1645/165 172.16.3.5:1812, Access-Reject, len 20
    Sep 12 17:41:00.226: RADIUS:  authenticator 00 D5 B6 0B C9 49 83 81 - 87 17 23 82 2B 6A CB C7
    Sep 12 17:41:00.226: RADIUS: response-authenticator decrypt fail, pak len 20
    Sep 12 17:41:00.226: RADIUS: packet dump: 03A5001400D5B60BC9498381871723822B6ACBC7
    Sep 12 17:41:00.226: RADIUS: expected digest: BFAB772B5BA4B134F46E13A21F722317
    Sep 12 17:41:00.226: RADIUS: response authen: 00D5B60BC9498381871723822B6ACBC7
    Sep 12 17:41:00.226: RADIUS: request  authen: 41EAE3A7DAEE6332CE646436F949C5A1
    Sep 12 17:41:00.226: RADIUS: Response (165) failed decrypt
    Sep 12 17:41:05.110: RADIUS(00000000): Request timed out
    Sep 12 17:41:05.110: RADIUS: Retransmit to (172.16.3.5:1812,1813) for id 1645/165
    Sep 12 17:41:05.110: RADIUS(00000000): Started 5 sec timeout
    Sep 12 17:41:05.114: RADIUS: Received from id 1645/165 172.16.3.5:1812, Access-Reject, len 20
    Sep 12 17:41:05.114: RADIUS:  authenticator 00 D5 B6 0B C9 49 83 81 - 87 17 23 82 2B 6A CB C7
    Sep 12 17:41:05.114: RADIUS: response-authenticator decrypt fail, pak len 20
    Sep 12 17:41:05.114: RADIUS: packet dump: 03A5001400D5B60BC9498381871723822B6ACBC7
    Sep 12 17:41:05.114: RADIUS: expected digest: BFAB772B5BA4B134F46E13A21F722317
    Sep 12 17:41:05.114: RADIUS: response authen: 00D5B60BC9498381871723822B6ACBC7
    Sep 12 17:41:05.114: RADIUS: request  authen: 41EAE3A7DAEE6332CE646436F949C5A1
    Sep 12 17:41:05.114: RADIUS: Response (165) failed decrypt
    Sep 12 17:41:10.438: RADIUS(00000000): Request timed out
    Sep 12 17:41:10.438: RADIUS: No response from (172.16.3.5:1812,1813) for id 1645/165
    Sep 12 17:41:10.438: RADIUS/DECODE: parse response no app start; FAIL
    Sep 12 17:41:10.438: RADIUS/DECODE: parse response; FAIL
    Sep 12 17:41:13.682: %MAB-5-FAIL: Authentication failed for client (a44c.11ca.eadf) on Interface Gi1/29
    Sep 12 17:41:13.682: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (a44c.11ca.eadf) on Interface Gi1/29
    Sep 12 17:41:13.682: %AUTHMGR-5-FAIL: Authorization failed for client (a44c.11ca.eadf) on Interface Gi1/29
    Sep 12 17:41:00.222: RADIUS(00000000): Request timed out
    I have deleted and created again the 6500 NAD in the ISE, and configured again the Radius-Key in the 6500, making sure they are exactly the same. But I keep receiving the same errors.
    I have already reviewed the following links:
    http://www.cisco.com/en/US/docs/wireless/access_point/12.3_7_JA/configuration/guide/s37err.html
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_logging.html#wp1061989
    http://puck.nether.net/pipermail/cisco-nas/2004-May/000686.html
    And the troubleshooting section from the Cisco Identity Services Engine User Guide, Release 1.0.4
    Everything points me to the Radius Key between ISE and the 6500 SW being wrong, but I've configured it again twice and typed it letter by letter slowly to avoid any typos.
    ISE version: 1.1.0.665
    ADE OS: 2
    Active Directory: Windows 2008 R2 Standard
    6500 SW Config:
    Building configuration...
    Current configuration : 65413 bytes
    ! Last configuration change at 12:22:42 MXVeran Tue Jul 31 2012 by ho1a
    ! NVRAM config last updated at 22:21:11 MXVeran Mon Jul 30 2012 by ho1a
    version 15.0
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    service compress-config
    service counters max age 5
    boot-start-marker
    boot system flash bootdisk:
    boot-end-marker
    logging buffered 64000
    enable secret 5 $1$QoxK$w6sZJ66pXDMLS1lGPp3KR.
    username ho1a privilege 15 secret 5 $1$DYMo$O8BQi2u.emzdCFfNMxCTd.
    username test-radius password 7 14141B180F0B7B7977
    aaa new-model
    aaa authentication login Tr3s41ia.2012 local
    aaa authentication dot1x default group radius
    aaa authorization exec default local
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting update periodic 5
    aaa accounting dot1x default start-stop group radius
    aaa accounting system default start-stop group radius
    aaa server radius dynamic-author
     client 172.16.3.5 server-key 7 110A1016141D5A5E57
    aaa session-id common
    platform ip cef load-sharing ip-only
    platform rate-limit layer2 port-security pkt 300 burst 10
    clock timezone MXInv -6
    clock summer-time MXVerano recurring
    authentication critical recovery delay 1000
    interface GigabitEthernet8/1
     switchport
     switchport access vlan 2
     switchport mode access
     ip access-group ACL_ISE_Default in
     authentication host-mode multi-auth
     authentication open
     authentication order mab dot1x
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     mab
     dot1x pae authenticator
     spanning-tree portfast edge
    ip default-gateway 172.16.3.2
    ip forward-protocol nd
    ip http server
    ip http secure-server
    ip route 0.0.0.0 0.0.0.0 172.16.3.2
    ip radius source-interface Vlan3 vrf default
    logging origin-id ip
    logging source-interface Vlan3
    logging host 172.16.3.5 transport udp port 20514
    snmp-server group Tr3s41ia.2012aes v3 priv
    snmp-server group Tr3s41ia.2012md5 v3 auth
    snmp-server community public RO
    snmp-server community tresaliarw RW
    snmp-server community tresaliaro RO
    snmp-server trap-source Vlan3
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps memory bufferpeak
    no snmp-server enable traps entity-sensor threshold
    snmp-server enable traps cpu threshold
    snmp-server enable traps vtp
    snmp-server enable traps flash insertion removal
    snmp-server enable traps mac-notification move change
    snmp-server enable traps errdisable
    snmp-server host 172.16.3.4 version 3 priv Tr3s41ia.2012aes
    snmp-server host 172.16.3.4 version 3 auth Tr3s41ia.2012md5
    snmp-server host 172.16.3.5 version 2c tresaliaro
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 30 tries 3
    radius-server host 172.16.3.5 auth-port 1812 acct-port 1813 test username test-radius key 7 104D000A061843595F
    radius-server vsa send accounting
    radius-server vsa send authentication
    control-plane
     service-policy input policy-default-autocopp
    line con 0
     logging synchronous
     login authentication Tr3s41ia.2012
    line aux 0
    line vty 0 4
     login authentication defaulTr3s41ia.2012
     transport input ssh
    line vty 5 1509
     login authentication defaulTr3s41ia.2012
     transport input ssh
    ntp clock-period 17179836
    ntp peer 172.16.4.9
    no event manager policy Mandatory.go_switchbus.tcl type system
    end
    Additionally, I'm getting the following screen when accessing the standby server via https:
    I'm thinking that there might be some problems with the CA Certificates installed on the ISEs, or some corrupted data due to the 2 sudden restarts.
    Any help, hint or direction will be really appreciated.
    Thanks in advance for your time. Best Regards.

    Hello Tarik, thanks for your response,
    I'll go ahead and remove and configure again the complete radius configuration on the SW and let you know what happens. If this doesn't work I'm thinking that re-installing the ISE server might be the solution. It was working fine after the fresh install.
    I use the command "test aaa group radius username password new-code" to test SW communication to ISE and here is the debug output from the SW:
    Sep 12 20:42:59.713: RADIUS/ENCODE(00000000):Orig. component type = INVALID
    Sep 12 20:42:59.713: RADIUS(00000000): Config NAS IP: 172.16.3.1
    Sep 12 20:42:59.713: RADIUS(00000000): sending
    Sep 12 20:42:59.713: RADIUS(00000000): Send Access-Request to 172.16.3.5:1812 id 1645/93, len 56
    Sep 12 20:42:59.713: RADIUS:  authenticator 24 52 30 41 B7 06 74 CE - C7 4B 7B FF 87 88 F7 23
    Sep 12 20:42:59.713: RADIUS:  User-Password       [2]   18  *
    Sep 12 20:42:59.713: RADIUS:  User-Name           [1]   6   test
    Sep 12 20:42:59.713: RADIUS:  Service-Type        [6]   6   Login                     [1]
    Sep 12 20:42:59.713: RADIUS:  NAS-IP-Address      [4]   6   172.16.3.1               
    Sep 12 20:42:59.713: RADIUS(00000000): Started 5 sec timeout
    Sep 12 20:43:14.485: RADIUS(00000000): Started 5 sec timeout
    Sep 12 20:43:14.489: RADIUS: Received from id 1645/93 172.16.3.5:1812, Access-Reject, len 20
    Sep 12 20:43:14.489: RADIUS:  authenticator B2 89 18 4B F5 D8 D6 67 - 85 4D 1E C3 DE C9 06 85
    Sep 12 20:43:14.489: RADIUS: response-authenticator decrypt fail, pak len 20
    Sep 12 20:43:14.489: RADIUS: packet dump: 035D0014B289184BF5D8D667854D1EC3DEC90685
    Sep 12 20:43:14.489: RADIUS: expected digest: EDB6C64ADA12BCD81CD21C3EF28CDB27
    Sep 12 20:43:14.489: RADIUS: response authen: B289184BF5D8D667854D1EC3DEC90685
    Sep 12 20:43:14.489: RADIUS: request  authen: 24523041B70674CEC74B7BFF8788F723
    Sep 12 20:43:14.489: RADIUS: Response (93) failed decryptUser rejected
    And here are the results from the Operations/Authentications Tab from ISE:
    There are no other SWs in the network, just the Core. I cannot test Wireless Authentication since the AccessPoint Switchport is also controlled by ISE and is not Authenticated right now. I can Authenticate the Active Directory Users using NTRadPing tool as a test and it's successful. AD and 6500 SW are using the same Radius key to communicate with ISE. Here is the AD user Authentication:
    So I'll proceed to re-configure the SW for Radius server and let you know if this is the solution.
    Thanks in advance for your time and comments.
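The "expected digest" and "response authen" lines in the debug output above are the two sides of the RFC 2865 Response Authenticator check: MD5 over the reply header, the Request Authenticator, the reply attributes and the shared secret. The sketch below is an added example, not code from the thread or from Cisco; it parses the packet dump quoted in the post and runs the check on a constructed reply, and the secrets and the Reply-Message text are constructed sample values.

```python
import hashlib
import hmac
import struct

# Values copied from the debug output in the post above.
PAGE_PACKET = bytes.fromhex("035D0014B289184BF5D8D667854D1EC3DEC90685")
PAGE_REQUEST_AUTH = bytes.fromhex("24523041B70674CEC74B7BFF8788F723")

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}


def parse_header(packet: bytes):
    """Split a RADIUS packet into (code, id, length, authenticator, attributes)."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the packet")
    return code, ident, length, packet[4:20], packet[20:length]


def expected_response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    _, _, length, _, attrs = parse_header(packet)
    return hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True when the reply was produced with the same secret and was not altered."""
    resp_auth = parse_header(packet)[3]
    expected = expected_response_authenticator(packet, request_auth, secret)
    return hmac.compare_digest(resp_auth, expected)


def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side: build a reply the way a RADIUS server signs it."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


def sample_reject(secret: bytes) -> bytes:
    """Constructed Access-Reject carrying one Reply-Message (type 18) attribute."""
    msg = b"constructed sample"
    attrs = bytes([18, 2 + len(msg)]) + msg
    return build_response(3, 93, PAGE_REQUEST_AUTH, attrs, secret)


if __name__ == "__main__":
    code, ident, length, auth, _ = parse_header(PAGE_PACKET)
    print(CODES.get(code, code), "id", ident, "len", length, "authen", auth.hex().upper())
    reply = sample_reject(b"constructed-secret-A")
    print("same secret:", verify_response(reply, PAGE_REQUEST_AUTH, b"constructed-secret-A"))
    print("other secret:", verify_response(reply, PAGE_REQUEST_AUTH, b"constructed-secret-B"))
```

A reply that fails this check was hashed with a different secret than the one configured for that server on the NAS, or was modified in transit; the NAS cannot tell the two cases apart from the packet alone.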

  • Disturbing http connection from ISE to an unknown Internet address

    I have an ISE version 1.1.2.145 Patch-5 running in standalone mode.  No one has access to the ISE appliance except myself.  The ISE has an IP address of 1982.168.1.1
    Today, I noticed that the ISE is attempting to make an outbound http to an unknown Internet IP address of files.liferay.com.  Fortunately, my checkpoint firewall does not allow this connection:
    Number:                          99427
    Date:                           17Nov2013
    Time:                              23:03:11
    Interface:                        eth2
    Origin:                         Corp_Firewall
    Type:                              Log
    Action:                         Drop
    Service:                          http (80)
    Source Port:                    58025
    Source:                           Corp_Firewall-192.168.1.1 (192.168.1.1)
    Destination:                    files.liferay.com (38.75.15.3)
    Protocol:                         tcp
    Rule:                           100
    Rule UID:                        {1234abcd-1111-xxxx-vvvv-aaaaaaaaaa}
    Rule Name:                    Corp_Firewall Log Drop rule
    Current Rule Number:        100-Corp_Firewall
    Product:                          Security Gateway/Management
    Product Family:              Network
    Policy Info:                     Policy Name: Corp_Firewall
                                    Created at: Sat Nov 16 01:30:50 2013
                                    Installed from: corp-mgmt-192.168.1.2
    The question is: why is the ISE doing this?  What is the purpose of this http connection, some kind of "back door" by Cisco?

    Liferay is an open source web portal for hosting cloud applications.  This is definitely NOT a Cisco back-door to the ISE.
    About Us
    Enterprise. Open Source. For Life.
    Enterprise.
    Liferay, Inc. was founded in 2004 in response to growing demand for  Liferay Portal, the market's leading independent portal product that was  garnering industry acclaim and adoption across the world. Today,  Liferay, Inc. houses a professional services group that provides  training, consulting and enterprise support services to our clientele in  the Americas, EMEA, and Asia Pacific. It also houses a core development  team that steers product development.
    Open Source.
    Liferay Portal was, in fact, created in 2000 and boasts a rich open  source heritage that offers organizations a level of innovation and  flexibility unrivaled in the industry. Thanks to a decade of ongoing  collaboration with its active and mature open source community,  Liferay's product development is the result of direct input from users  with representation from all industries and organizational roles. It is  for this reason, that organizations turn to Liferay technology for  exceptional user experience, UI, and both technological and business  flexibility.
    For Life.
    Liferay, Inc. was founded for a purpose greater than revenue and profit  growth. Each quarter we donate to a number of worthy causes decided  upon by our own employees. In the past we have made financial  contributions toward AIDS relief and the Sudan refugee crisis through  well-respected organizations such as Samaritan's Purse and World Vision.  This desire to impact the world community is the heart of our company,  and ultimately the reason why we exist.
    You may want to investigate the applications being used on site.
    Hopefully this helps. 
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • In ISE (ise-3315) low reliability

    Hello.
    What will happen if one HDD in an ISE-3315 breaks? The ISE has low reliability: no RAID. How can a server for security do without RAID?
    How can we improve reliability?

    The best solution is to go for the higher appliance or the VMware solution. For reference, kindly see the following details:
    Cisco Identity Services Engine Hardware Specifications

    | | Cisco Identity Services Engine Appliance 3315 (Small) | Cisco Identity Services Engine Appliance 3355 (Medium) | Cisco Identity Services Engine Appliance 3395 (Large) |
    |---|---|---|---|
    | Processor | 1 x QuadCore Intel Core 2 CPU Q9400 @ 2.66 GHz | 1 x QuadCore Intel Xeon CPU E5504 @ 2.00 GHz | 2 x QuadCore Intel Xeon CPU E5504 @ 2.00 GHz |
    | Memory | 4 GB | 4 GB | 4 GB |
    | Hard disk | 2 x 250-GB SATA HDD | 2 x 300-GB SAS drives | 4 x 300-GB SFF SAS drives |
    | RAID | No | Yes (RAID 0) | Yes (RAID 0+1) |
    | Removable media | CD/DVD-ROM drive | CD/DVD-ROM drive | CD/DVD-ROM drive |
    | Network Connectivity | | | |
    | Ethernet NICs | 4 x Integrated Gigabit NICs | 4 x Integrated Gigabit NICs | 4 x Integrated Gigabit NICs |
    | 10BASE-T cable support | Cat 3, 4, or 5 unshielded twisted pair (UTP) up to 328 ft (100 m) | Cat 3, 4, or 5 UTP up to 328 ft (100 m) | Cat 3, 4, or 5 UTP up to 328 ft (100 m) |
    | 10/100/1000BASE-TX cable support | Cat 5 UTP up to 328 ft (100 m) | Cat 5 UTP up to 328 ft (100 m) | Cat 5 UTP up to 328 ft (100 m) |
    | Secure Sockets Layer (SSL) accelerator card | None | Cavium CN1620-400-NHB-G | Cavium CN1620-400-NHB-G |
    | Interfaces | | | |
    | Serial ports | 1 | 1 | 1 |
    | USB 2.0 ports | 4 (two front, two rear) | 4 (one front, one internal, two rear) | 4 (one front, one internal, two rear) |
    | Video ports | 1 | 1 | 1 |
    | External SCSI ports | None | None | None |
    | System Unit | | | |
    | Form factor | Rack-mount 1 RU | Rack-mount 1 RU | Rack-mount 1 RU |
    | Weight | 28 lb (12.7 kg) fully configured | 35 lb (15.87 kg) fully configured | 35 lb (15.87 kg) fully configured |
    | Dimensions (H x W x L) | 1.69 x 17.32 x 22 in. (43 x 440 x 55.9 mm) | 1.69 x 17.32 x 27.99 in. (43 x 42.62 x 711 mm) | 1.69 x 17.32 x 27.99 in. (43 x 42.62 x 711 mm) |
    | Power supply | 350W | Dual 675W (redundant) | Dual 675W (redundant) |
    | Cooling fans | 6; non-hot plug, nonredundant | 9; redundant | 9; redundant |
    | BTU rating | 1024 BTU/hr (at 300W) | 2661 BTU/hr (at 120V) | 2661 BTU/hr (at 120V) |
    | Compliance | | | |
    | FIPS | Uses FIPS 140-2 Level 1 validated cryptographic modules | Uses FIPS 140-2 Level 1 validated cryptographic modules | Uses FIPS 140-2 Level 1 validated cryptographic modules |

    | | Cisco Secure Network Server 3415 (Small) - New | Cisco Secure Network Server 3495 (Large) - New |
    |---|---|---|
    | Processor | 1 x Intel Xeon Quad-Core 2.4 GHz E5-2609 | 2 x Intel Xeon Quad-Core 2.4 GHz E5-2609 |
    | Memory | 16 GB | 32 GB |
    | Hard disk | 1 x 600GB 6Gb SAS 10K RPM | 2 x 600GB 6Gb SAS 10K RPM |
    | RAID | No | Yes (RAID 0+1) |
    | CD/DVD-ROM drive | No | No |
    | Network Connectivity | | |
    | Ethernet NICs | 4 x Integrated Gigabit NICs | 4 x Integrated Gigabit NICs |
    | 10/100/1000BASE-TX cable support | Cat 5 UTP up to 328 ft (100 m) | Cat 5 UTP up to 328 ft (100 m) |
    | Secure Sockets Layer (SSL) accelerator card | None | Cavium CN1620-400-NHB-G |
    | Interfaces | | |
    | Front Panel Connector | 1 x KVM console connector (supplies 2 USB, 1 VGA, and 1 serial connector) | 1 x KVM console connector (supplies 2 USB, 1 VGA, and 1 serial connector) |
    | Additional Rear Connectors | Additional interfaces including a VGA video port, 2 USB 2.0 ports, an RJ45 serial port, 1 Gigabit Ethernet management port, and dual 1 Gigabit Ethernet ports | Additional interfaces including a VGA video port, 2 USB 2.0 ports, an RJ45 serial port, 1 Gigabit Ethernet management port, and dual 1 Gigabit Ethernet ports |
    | System Unit | | |
    | Form factor | Rack-mount 1 RU | Rack-mount 1 RU |
    | Weight | 35.6 lbs (16.2 kg) | 26.8 lbs (12.1 kg) | 35 lb (15.87 kg) fully configured |
    | Dimensions (H x W x L) | 1.7 x 16.9 x 28.5 in. (4.32 x 43 x 72.4 cm) | 1.7 x 16.9 x 28.5 in. (4.32 x 43 x 72.4 cm) |
    | Power supply | 650W | Dual 650W (redundant) |
    | Cooling fans | 5 | 5 |
    | Temperature: Operating | 32 to 104°F (0 to 40°C) (operating, sea level, no fan fail, no CPU throttling, turbo mode) | 32 to 104°F (0 to 40°C) (operating, sea level, no fan fail, no CPU throttling, turbo mode) |
    | Temperature: Nonoperating | -40 to 158°F (-40 to 70°C) | -40 to 158°F (-40 to 70°C) |
    | Compliance | | |
    | FIPS | Uses FIPS 140-2 Level 1 validated cryptographic modules | Uses FIPS 140-2 Level 1 validated cryptographic modules |

  • Secure Network Servers (SNS) in ISE version 1.1.4

    Hi board,
    I'm quite confused about the supported ISE versions for the new Cisco Secure Network Server 3415 and 3495.
    In nearly all documents it is stated, that the support for this HW will be introduced with ISE 1.2
    For example ISE Q&A
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/qa_c67-658591.html
    What else is being released with ISE 1.2*?
    A. Two new hardware platforms called the Cisco Network Secure Servers*. These new servers bring scalability improvement as they are based on the powerful Cisco UCS® C220 Rack Server platform and configured to support the Cisco Identity Services Engine* (ISE), Network Admission Control (NAC), and Access Control System (ACS)  security applications. The multiuse Cisco Secure Network Servers offer  many improvements over current ISE, ACS, and NAC appliances, and are the  platform recommended to deploy newer versions of these applications.  During ordering, customers can specify which security application they  would like to have installed. See the Product Details section for more  information.
    On the other hand, in the 1.1.x release notes it's stated, that the HW is supported in the current 1.1.4 release
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp417581
    New Features in Cisco ISE, Release 1.1.4 Cisco ISE, Release 1.1.4 provides support for the Cisco SNS 3400 Series  appliance. For details on the installing and configuring the Cisco SNS  3400 Series appliance, refer to the ISE 1.1.4 Installation Guide at the  following location:
    What is true now? What HW appliance do I choose, if I want to order today?
    I don't want to order the old appliances (33xx), because they are already EoL announced:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11640/eol_C51-728424.html
    Thanks!

    Hi Johanne,
    Cisco ISE software is packaged with your appliance  or image for installation. Cisco ISE, Release 1.2 is shipped on the  following platforms. After installation, you can configure Cisco ISE  with specified component personas (Administration, Policy Service, and  Monitoring) or as an Inline Posture node on the platforms.
    Supported Hardware and Personas:

    Cisco SNS-3415-K9 (small)
    Persona: Any
    Configuration:
    •Cisco UCS [1] C220 M3
    •Single socket Intel E5-2609 2.4-GHz CPU, 4 total cores, 4 total threads
    •16-GB RAM
    •1 x 600-GB disk
    •Embedded Software RAID 0
    •4 GE network interfaces

    Cisco SNS-3495-K9 [2] (large)
    Persona: Administration, Policy Service, Monitor
    Configuration:
    •Cisco UCS C220 M3
    •Dual socket Intel E5-2609 2.4-GHz CPU, 8 total cores, 8 total threads
    •32-GB RAM
    •2 x 600-GB disk
    •RAID 0+1
    •4 GE network interfaces

    Cisco ISE-3315-K9 (small)
    Persona: Any
    Configuration:
    •1x Xeon 2.66-GHz quad-core processor
    •4 GB RAM
    •2 x 250 GB SATA [3] HDD [4]
    •4x 1 GB NIC [5]

    Cisco ISE-3355-K9 (medium)
    Persona: Any
    Configuration:
    •1x Nehalem 2.0-GHz quad-core processor
    •4 GB RAM
    •2 x 300 GB 2.5 in. SATA HDD
    •RAID [6] (disabled)
    •4x 1 GB NIC
    •Redundant AC power

    Cisco ISE-3395-K9 (large)
    Persona: Any
    Configuration:
    •2x Nehalem 2.0-GHz quad-core processor
    •4 GB RAM
    •4 x 300 GB 2.5 in. SAS II HDD
    •RAID 1
    •4x 1 GB NIC
    •Redundant AC power

    Cisco ISE-VM-K9 (VMware)
    Persona: Stand-alone Administration, Monitoring, and Policy Service (no Inline Posture)
    Configuration:
    •For CPU and memory recommendations, refer to the "VMware Appliance Sizing Recommendations" section in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2. [7]
    •Hard Disks (minimum allocated memory):
    –Stand-alone—600 GB
    –Administration—200 GB
    –Policy Service and Monitoring—600 GB
    –Monitoring—500 GB
    –Policy Service—100 GB
    •NIC—1 GB NIC interface required (You can install up to 4 NICs.)
    •Supported VMware versions include:
    –ESX 4.x
    –ESXi 4.x and 5.x

    [1] Cisco Unified Computing System (UCS)
    [2] Inline posture is a 32-bit system and is not capable of symmetric multiprocessing (SMP). Therefore, it is not available on the SNS-3495 platform.
    [3] SATA = Serial Advanced Technology Attachment
    [4] HDD = hard disk drive
    [5] NIC = network interface card
    [6] RAID = Redundant Array of Independent Disks
    [7] Memory allocation of less than 4GB is not supported for any VMware appliance configuration. In the event of a Cisco ISE behavior issue, all users will be required to change allocated memory to at least 4GB prior to opening a case with the Cisco Technical Assistance Center.
    Please check the following link for further information.
    https://supportforums.cisco.com/message/3986953#3986953

  • Mac-Address Different format for Authorization on Cisco ISE

    Dear All,
    I have problem with my Cisco ISE,
    This is the design :
    ISE ---- Core Switch ---- 3Com Switch --- PC User
    My Case:
    Authorization is based on Mac-address and Active Directory,
    But a user with a PC that connects to the 3Com switch is denied by ISE because the MAC address format is different from Cisco's,
    Mac-address Cisco format :  XX:XX:XX:XX:XX:XX
    Mac-address 3Com format :  XXXX-XXXX-XXXX
    3Com Switch type is TRICOM 4210 26-PORT.
    Does anyone have experience with this, and how do I change the MAC address format on the 3Com so the user can be authorized by Cisco ISE?
    Note:
    Authorization based on Active Directory is not a problem with the 3Com Switch.
    Based on my experience, different products use different MAC address formats, so this case is not only for the 3Com Switch.
    Thanks,
    Arika Wahyono

    I do not think Cisco will add these vendors to the supported switch matrix because then it would be a support issue that cisco would have to deal with, much like most of the AD issues I experienced when I worked in TAC. Your best bet would be to run the evaluation license instance in a lab and have a 3com switch point against that.
    Other than that I do not recommend upgrading to 1.2 without validating that the new "multi-vendor" MAB support will work on your switch.
    PS- Keep in mind that my comments are just my opinion so you may need to open a TAC case for an official answer.
    Tarik Admani
    *Please rate helpful posts*
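The two notations quoted in the question above (XX:XX:XX:XX:XX:XX and XXXX-XXXX-XXXX) describe the same 48-bit address, so an endpoint list can be compared on a canonical form instead of on the string a given switch sends. The following is an added example, not part of the thread and not ISE's own matching logic; the style names, function names and sample addresses are assumptions made for the illustration.

```python
import re

# Accepted notations: six pairs with ':' or '-', three quads with '-' or '.',
# or twelve bare hex digits. A mixed-separator string matches none of them.
PATTERNS = (
    re.compile(r"^[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}$"),
    re.compile(r"^[0-9a-f]{4}([.-])[0-9a-f]{4}\1[0-9a-f]{4}$"),
    re.compile(r"^[0-9a-f]{12}$"),
)

# Hypothetical style names -> (group size, separator).
STYLES = {
    "colon-pairs": (2, ":"),    # XX:XX:XX:XX:XX:XX, the Cisco format named in the post
    "hyphen-pairs": (2, "-"),
    "hyphen-quads": (4, "-"),   # XXXX-XXXX-XXXX, the 3Com format named in the post
    "dot-quads": (4, "."),
}


def parse_mac(text: str) -> str:
    """Return the address as 12 lowercase hex digits, or raise ValueError."""
    candidate = text.strip().lower()
    if not any(p.match(candidate) for p in PATTERNS):
        raise ValueError(f"not a recognised MAC notation: {text!r}")
    return re.sub(r"[:.\-]", "", candidate)


def format_mac(digits: str, style: str, upper: bool = True) -> str:
    """Render 12 hex digits in one of the named styles."""
    size, sep = STYLES[style]
    out = sep.join(digits[i:i + size] for i in range(0, 12, size))
    return out.upper() if upper else out


def is_known_endpoint(calling_station_id: str, allowlist) -> bool:
    """Compare on the canonical form so the notation on either side is irrelevant."""
    known = {parse_mac(entry) for entry in allowlist}
    try:
        return parse_mac(calling_station_id) in known
    except ValueError:
        return False  # malformed identifiers never match


if __name__ == "__main__":
    allow = ["00:11:22:AA:BB:CC"]             # constructed sample entry
    print(is_known_endpoint("0011-22aa-bbcc", allow))
    print(format_mac(parse_mac("0011-22aa-bbcc"), "colon-pairs"))
```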

  • ISE Restore fails after 80% (Segmentation fault)

    Hi All
    After a system crash I'm trying to restore. I first did an application reset-config ise and then a restore over an ftp repository.
    After 80% it fails at DB Syncup with a segmentation fault. Tried this with different Backup versions all having the latest patch level.
    Any Ideas ?
    Thanks
    Initiating restore.  Please wait...
    % restore in progress: Starting Restore...10% completed
    % restore in progress: Retrieving backup file from Repository...20% completed
    % restore in progress: Decrypting backup data...25% completed
    % restore in progress: Extracting backup data...30% completed
     Leaving the currently connected AD domain
     Please rejoin the AD domain from the administrative GUI
    % restore in progress: Stopping ISE processes required for restore...35% completed
    % restore in progress: Restoring ISE configuration database...40% completed
    % restore in progress: Updating Database metadata...70% completed
    % restore in progress: Restoring logs...75% completed
    % restore in progress: Performing ISE Database synchup...80% completed
    /opt/CSCOcpm/bin/isecfgrestore.sh: line 1248: 11162 Segmentation fault      (core dumped) curl -q -k --tlsv1 --connect-timeout 10 https://$MYIP/admin/index.jsp > /dev/null 2>&1
    /opt/CSCOcpm/bin/isecfgrestore.sh: line 1248: 11177 Segmentation fault      (core dumped) curl -q -k --tlsv1 --connect-timeout 10 https://$MYIP/admin/index.jsp > /dev/null 2>&1
    /opt/CSCOcpm/bin/isecfgrestore.sh: line 1248: 11187 Segmentation fault      (core dumped) curl -q -k --tlsv1 --connect-timeout 10 https://$MYIP/admin/index.jsp > /dev/null 2>&1
    ......and so on 
    Cisco Application Deployment Engine OS Release: 2.2
    ADE-OS Build Version: 2.2.0.162
    ADE-OS System Architecture: x86_64
    Copyright (c) 2005-2014 by Cisco Systems, Inc.
    All rights reserved.
    Version information of installed applications
    Cisco Identity Services Engine
    Version      : 1.3.0.876
    Build Date   : Tue Oct 28 04:02:29 2014
    Install Date : Fri Dec  5 08:31:15 2014     
    Cisco Identity Services Engine Patch 
    Version      : 1
    Install Date : Mon Jan 26 10:21:50 2015

    After sending the appropriate logs to the TAC I learned that even though the restore looked to have failed, at 80% the actual restore has been completed and what was failing was the node synchronization.   With this knowledge I was able to access the admin GUI and manually sync up the other nodes and have been running without issue.
    As it turns out this is a documented issue, CSCur36983, and will be fixed in release 1.4.
    Here is the reply I received from the TAC:
    "Based on the logs sent, we're definitely hitting CSCur36983 which will be
    fixed in ISE 1.4:
    https://tools.cisco.com/bugsearch/bug/CSCur36983/
    According to the bug details, when we reach 80% the restoration part itself
    has already completed. What is failing is a sync with the rest of the nodes
    in the deployment. Therefore, you can reload the ISE at this point and you
    should have access to the admin GUI again. From there, you can force a sync up  with the other nodes."
